General Bytes said it took 15 hours to release a patch, but by that point, at least 56 BTC had been stolen.
A Bitcoin ATM manufacturer says more than $1.5 million has been stolen from hot wallets after a devastating breach.
General Bytes says the incident — which happened on March 17 and 18 — "was the most challenging time for us and some of our clients."
According to the company, its cloud service and other standalone servers suffered security breaches after an attacker uncovered a serious vulnerability.
They were able to upload a malicious application that gave them the ability to read and decrypt API keys — unlocking access to funds in hot wallets and exchanges.
These funds could then be sent to other destinations — and worryingly, the attacker had the power to download usernames and password hashes, as well as turn off two-factor authentication.
The company's cloud service has now been closed down — and executives say multiple security audits performed since 2021 hadn't uncovered this vulnerability. A statement added:
"We are collecting data from our clients to validate all the losses; along with internal investigation, we will cooperate with authorities to do everything we can to identify the perpetrator."
According to Ars Technica, customers have now been left on the hook for losses that cannot be reversed.
Crypto ATMs in the Spotlight
Bitcoin ATMs have popped up around the world, with the vast majority of them based in the U.S.
Clampdowns against the machines have begun in the U.K. and Singapore, amid fears they could be used for money laundering by criminals.
The machines are often unregulated, some do not perform Know Your Customer checks, and they normally charge much higher fees than conventional crypto exchanges.
According to CBS News, Bitcoin ATMs are being increasingly used as a tool to execute scams across the country.
One artist was tricked into sending $20,000 to scammers through a Bitcoin ATM — and the fraudsters had threatened to contact the FBI unless he complied with their orders.
Two years on, the 84-year-old has been unable to recover the lost funds — and he is now living with his son because he can't afford to live on his own.